Between November 2025 and February 2026, a coordinated espionage campaign hit a Libyan oil refinery, a telecom company, and a government agency. The attacks delivered AsyncRAT, a publicly available remote access Trojan that has been used by state-sponsored threat groups in the past.

This raised immediate concerns about the safety of Libya's critical infrastructure. AsyncRAT is a free remote access tool that has become popular with both cybercriminals and nation-states because it is modular and can be used for a wide range of surveillance tasks. It can record keystrokes, take screenshots, and run commands remotely, which makes it very useful for gathering information over a long period of time.

Because AsyncRAT is free and not linked to a single known actor, investigators have a hard time attributing attacks that use it. Security teams should create detection rules for unusual scheduled task creation, especially tasks involving XML files in directories that anyone can access, because this closely resembles the persistence method used in this campaign.
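The scheduled-task rule described above can be sketched as a filter over process-creation events; this is an added example, not code from the article or from any vendor ruleset. It assumes Sysmon Event ID 1 field names, that the task is imported with `schtasks /create /xml`, and a hypothetical list of user-writable directories; the sample events are constructed.

```python
import re

# Assumed user-writable locations (not from the article); tune per environment.
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp",
                 r"\appdata\local\temp", "%public%", "%temp%")
# Script hosts matching the article's dropper chain (VBS, PowerShell).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
CREATE_RE = re.compile(r"(?<!\S)/create\b", re.I)
XML_RE = re.compile(r'(?<!\S)/xml\s+(?:"([^"]+)"|(\S+))', re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return a finding for 'schtasks /create /xml <writable path>', else None."""
    if basename(event.get("Image", "")) != "schtasks.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = XML_RE.search(cmd)
    if not CREATE_RE.search(cmd) or not match:
        return None
    xml_path = match.group(1) or match.group(2)
    norm = xml_path.lower().replace("/", "\\")
    if not any(d in norm for d in WRITABLE_DIRS):
        return None
    parent = basename(event.get("ParentImage", ""))
    # A script host spawning the task import fits a dropper chain more closely.
    severity = "high" if parent in SCRIPT_HOSTS else "medium"
    return {"xml": xml_path, "parent": parent, "severity": severity}

SYS32 = "C:\\Windows\\System32\\"

def sample(parent, cmdline):
    # Builds a constructed event; not real telemetry.
    return {"Image": SYS32 + "schtasks.exe", "ParentImage": SYS32 + parent,
            "CommandLine": cmdline}

SAMPLE_EVENTS = [
    sample("wscript.exe", r'schtasks /create /tn "Updater" /xml "C:\Users\Public\task.xml" /f'),
    sample("cmd.exe", r"schtasks /Create /XML C:\ProgramData\job.xml /TN Backup"),
    sample("cmd.exe", r'schtasks /create /tn Defrag /xml "C:\Program Files\Vendor\defrag.xml"'),
    sample("cmd.exe", "schtasks /query /fo list"),
]

def scan(events):
    return [f for f in map(check_event, events) if f]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Legitimate installers also import task XML from `C:\ProgramData`, so the medium tier is a triage queue rather than an alert on its own.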

To stop this kind of multi-stage dropper delivery, execution of VBS and other script files from untrusted or external sources should be restricted, and PowerShell should only be used by authorized, monitored processes. Any business that operates in a high-risk area needs endpoint detection tools that can identify AsyncRAT's behavior patterns, such as unauthorized keystroke logging, screenshot capture, and outbound command-and-control connections.
